Book Three-Chapter 4-Recovering Deleted Files and Deleted Partitions Flashcards Preview

Computer Forensics > Book Three-Chapter 4-Recovering Deleted Files and Deleted Partitions > Flashcards

Flashcards in Book Three-Chapter 4-Recovering Deleted Files and Deleted Partitions Deck (9)
Loading flashcards...
1

What happens when a file is deleted in Windows?

What Happens When a File Is Deleted in Windows?
When a user deletes a file, the operating system does not actually erase the file. It marks the file name in the master file table (MFT) with a special character that tells the processor that the file has been deleted.

The operating system replaces the first letter of a deleted file name with a hex byte code: E5h. E5h is a special tag that indicates that the file has been deleted. The corresponding cluster of that file in FAT is marked as unused, though it will continue to contain the information until it is overwritten.

2

How does the Recycle Bin work in Windows?

The Recycle Bin in Windows
The Recycle Bin is located on the Windows desktop. When a user deletes an item from the hard disk, the Recycle Bin icon changes from empty to full. However, this item has not actually been erased. It is tagged as information to be deleted. When the user empties the Recycle Bin, he or she is telling the computer that the space those files used is now free to store new information.

Items deleted from removable media, such as a flash memory card or network drive, are not actually stored in the Recycle Bin. When a user ejects the removable media, he or she will no longer be able to access the files he or she deleted or moved to the Recycle Bin. The items present in the Recycle Bin still take up dedicated, adjustable space on the hard disk. These items can be restored to their original positions with the help of the Restore all items option of the Recycle Bin. After being deleted from the Recycle Bin, these items still take up space in the hard disk until the operating system overwrites the location where the information is stored.

When the Recycle Bin becomes full, Windows automatically deletes the older items. Because the Recycle Bin takes up a specific space on each partition of the hard disk, very large items are not stored in the Recycle Bin. They are deleted permanently.

A user can manipulate the Recycle Bin in a number of ways. The following steps show how to change the storage capacity of the Recycle Bin:

Right-click on Recycle Bin and choose Properties.

Increase or decrease the storage capacity by moving the bar.

The following steps show how to restore files in the Recycle Bin:

Open Recycle Bin.

Right-click the item to restore. Then choose Restore.

It is possible to select more than one item to restore. Select the items to restore, and choose Restore All.

The following steps show how to delete files in the Recycle Bin:

Open Recycle Bin.

Right-click the file to delete, and choose Delete.


By default, the Recycle Bin was 10 percent of the user’s quota on the volume in Windows XP. In later versions of Windows, the default size is 10 percent of the first 40 GB of quota, and 5 percent of any quota above 40 GB. Items that exceed the capacity of the Recycle Bin are deleted immediately.

How the Recycle Bin Works
Each hard disk has a hidden folder named Recycled. This folder contains the files deleted from Windows Explorer or My Computer.

Deleted files are stored in the Recycled folder. Each deleted file in the folder is renamed. A hidden file called INFO2 holds the original names and paths. This information is used to restore the deleted files to their original locations.

The syntax for renaming is the following: Dxy.ext.

All recycled files begin with the letter D; D denotes that a file has been deleted.

The second letter (x) is the letter of the drive where the file is located. If the file resides on the main hard drive, it will be the letter C. If it is on the floppy drive, it will be the letter A.

The final piece (y) denotes a sequential number starting from 0.

The file will keep the same extension as the original file, such as .doc or .pdf.

Consider the following example:

New file name: Dc1.txt = (C drive, second file deleted, a .txt file)

INFO2 file path: C:\Windows\Desktop\Forensics.txt

New file name: De7.doc = (E drive, eighth file deleted, a .doc file)

INFO2 file path: E:\Homework\James Joyce Essay.doc

3

Why are the Recycle Bin folders differently named on NTFS and FAT file systems?

The Recycle Bin folders in FAT and NTFS have two different names to avoid confusion, in case a computer system has both file systems, or a file system is converted to another file system, as when FAT is converted to NTFS.

FAT and NTFS Recycle Bins have different internal structures. All recycled files in the FAT system are dumped into a single C:\RECYCLED directory, while recycled files on the NTFS system are categorized into directories named as C:\RECYCLER\S- . . . ., based on the user’s Windows security identifier (SID).

4

Explain the following: a. Damaged or deleted INFO 2 file.
b. Damaged Recycled folder

Damaged or Deleted INFO2 File
Once the INFO2 file is damaged or deleted, it will not appear in the Recycle Bin, but the deleted renamed files will still be present in the Recycled folder. Because the files were renamed in the Recycled folder, but not changed, they can be searched and restored by locating the file based on the new naming convention and renaming the file.

When the INFO2 file is deleted, it will be re-created when a user restarts Windows. If the Recycle Bin is damaged and not working, the user must delete the hidden INFO2 file from the Recycled folder and restart Windows to re-create the INFO2 file; this will enable the user to access the deleted files in the Recycle Bin. A user can also delete the INFO2 file from a command prompt window:

cd recycled

attrib -h inf*

del info

a. Damaged Files in the Recycled Folder
Damaged or deleted files will not appear in the Recycle Bin. In such cases, follow the steps below to recover the deleted files:

Make a copy of the Recycled\Desktop.ini file in a separate folder, and delete all the contents from the Recycled folder.

Delete all files in the Recycle Bin.

Restore the Desktop.ini file to the Recycled folder.

If there is no Desktop.ini file or if it is damaged, re-create it by adding the following information to a new Desktop.ini file:

[.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E}

b. Damaged Recycled Folder
At times, the Recycled folder itself can be damaged. In this case, a user will still be able to send files to the Recycled folder, even though the Recycle Bin on the desktop appears full. The user will not be able to view the contents of the Recycle Bin, and the Empty Recycle Bin command will also be unavailable.

To fix this, a user needs to delete the Recycled folder and restart Windows; Windows will regenerate the folder and restore its functionality.

The Recycled folder can also be generated from the command prompt:

attrib -s -h recycled

del recycled

Close the command window and restart the computer.

5

Describe the data recovery process in Linux

Data Recovery in Linux
The main advantage that Linux has over Windows is its ability to access and recover data from otherwise problematic machines. All file systems are supported in a standard stock kernel, which should have the ability to support older file systems. Therefore, the Linux kernel supports a large number of file systems, including VxFS, UFS, HFS, and the aforementioned NTFS and FAT systems. Note that Mac OS X is based on OpenBSD and thus uses the same UNIX/Linux kernel.

Individuals can, in some cases, dual-boot Linux and Windows; this can be done by using FAT and NTFS. Data of machines that fail to boot in a Windows environment can easily be recovered using bootable Linux, such as Knoppix.

In Linux, files that are deleted using the command /bin/rm remain on the disk. If a running process keeps a file open and then removes the file, the file contents are still on the disk, and other programs will not reclaim the space. The second extended file system (ext2) is commonly used in most Linux systems. The design of ext2 is such that it shows several places where data can be hidden.

It is worthwhile to note that if an executable erases itself, its contents can be retrieved from a /proc memory image. The command cp /proc/$PID/exe/tmp/file creates a copy of a file in /tmp.


6

How can you delete a partition using the command line?

Deletion of a Partition Using the Command Line
Use the following steps to delete a partition using the command line:

At the command prompt, type diskpart.

At the DiskPart prompt:

Type list disk:

Note the disk number of the disk from which the partition is to be deleted.

Type select disk n:

Selects disk number n.

Type list partition:

Note the number of partitions.

Type select partition n:

Selects partition n.

Type delete partition:

Deletes the partition.

Common Terms
List disk: It gives the list of disks and information about each disk, such as its size, free space available, whether the disk is basic or dynamic, and if the disk uses either a master boot record (MBR) or GUID partition table (GPT) partition.

Select disk: It selects the specified disk; n denotes the disk number.

List partition: It shows the list of partitions in the partition table of the current disk.

Select partition: It selects the specified partition n that denotes the partition number. If the partition is not provided, the select command lists the current partition.

Delete partition: It deletes the partition. Partitions such as a system partition or boot partition, which contains an active paging file or crash dump, cannot be deleted.

7

Write down stepts to delete a partition using the Windows interface


What Happens When a Partition Is Deleted?
When a user deletes a partition on any logical drive, all the data on that drive is lost.

If a user deletes a partition on a dynamic disk, all dynamic volumes on the disk are deleted, thus corrupting the disk.

Deletion of a Partition Using the Windows Interface
Use the following procedure to delete a partition using the Windows interface:

Open Computer Management:

Click Start → Control Panel.

Double-click Administrative Tools → Computer Management.

In the console tree:

Click Computer Management (Local) → Storage → Disk Management.

Right-click the partition, logical drive, or basic volume you want to delete, and then click Delete Partition.

8

Which tools recover deleted files in Linux?

Tools for Use with UNIX-Based Systems
Tool: e2undel
Operating Systems: Linux ext2 only

Web Site: http://e2undel.sourceforge.net/

Cost: Free

The e2undel tool supports Linux systems with the ext2 file system. It includes a library that can recover deleted files by the file name.

Ext2 is an old UNIX file system. When a file is recovered in a medium, three parts of the file should be checked: file content; metadata that contains creation time, date, owner and user rights of the file; and the file name. This tool does not manipulate the internal ext2 structure. It requires only read access to the file system.

This tool is not compatible with other Linux file systems, such as ext3, ReiserFS, XFS, and JFS.

Tool: R-Linux
Operating Systems: Recovers Linux ext2 file system; Host OS: Windows 9x, ME, NT, 2000, XP, Vista, 7, 8

File Types: All

Media: Logical and physical disks, including network drives and removable media

Web Site: http://www.r-tt.com/

Cost: Free

R-Linux is a free data recovery tool that supports the ext2 file system in Linux and other UNIX versions. Files from logical disks are recovered, even if the records are lost. It creates image files for the entire disk/partition, or for a part of it. Such image files can be processed like regular disks. The application recognizes localized names. R-Linux can also recover files that can be saved on any disks accessible by the host operating system.

R-Linux uses a unique IntelligentScan technology and a flexible parameter setting that gives the investigator control over the data recovery. It recovers files from existing logical disks even when file records are lost. R-Linux is a “lite” version of a more powerful file recover utility, R-Studio. R-Studio utilizes the IntelligentScan technology to its full extent, and can recover data from partitions with broken file systems. Also, R-Studio can recover data over a network.

The following are some of the features of R-Linux:

Standard Windows Explorer–style interface

Can save recovered files on any disks visible to the host operating system

Recovers files from disks with bad sectors

Tool: OfficeFIX Platinum Professional
Operating Systems: Windows and Mac OS

File Types: Microsoft Office files only

Media: N/A

Web Site: http://www.cimaware.com/

Cost: $279.00

OfficeFIX is a Microsoft Office recovery suite. OfficeFIX recovers the information from a damaged or corrupted file, and stores it into a new file. It includes data recovery from ExcelFIX, AccesssFIX, OutlookFIX, and WordFIX.

The following are some of the features of OfficeFIX:

It recovers data from MS Access 2013, 2010, 2007, 2003, 2002 (XP), 2000, 97, and 95.

It supports all versions of MS Excel.

It also recovers data from all versions of MS Word documents, including Word for Macintosh.

The following are some of the limitations of OfficeFIX:

It does not recover Excel sheets with:

Password-protected files

Visual Basic and macros

Array formulas

Pivot tables (only cell values are recovered)

It does not recover password-protected access files if the security file option is set.

It does not recover password-protected Word files.

It recovers text data, table data, and basic formatting in a document.

It does not recover Japanese or Chinese characters.

WordFIX cannot currently repair embedded OLE objects in Word documents, such as Excel spreadsheets and Microsoft Visio diagrams, or audio or video files, ActiveX controls, or macros.

Tool: Zip Repair Pro
Operating Systems: Windows

File Types: Compressed files (.zip)

Media: N/A

Web Site: http://www.ziprepair.com/

Cost: $29.95

Zip Repair Pro is a utility that will repair corrupt Zip files. Usually a corrupt Zip file gives the error message:

“Cannot open file: it does not appear to be a valid archive.”

The following are some of the features of Zip Repair Pro:

Creates an error-free backup of a user’s original file for instant access

Fixes CRC errors in .zip files so that data can still be uncompressed

Supports spanned Zip volumes, including the Zip64 format; a user can now repair and extract from a spanned Zip set, even if part of the set is missing.

Supports huge file sizes 2 GB+ (as long as there is enough disk space)

Add Bookmark to this Page

9

Which tool would you use to recover lost partitions? Why?

Tool: DiskInternals Partition Recovery
DiskInternals Partition Recovery is intended for users who need to recover data or lost partitions. DiskInternals Partition Recovery includes a step-by-step wizard and requires no special skills to operate. This product includes DiskInternals NTFS and DiskInternals FAT recovery products.

DiskInternals Partition Recovery recovers data from damaged, deleted, lost, or reformatted partitions, image files, or important documents. The software includes a Partition Recovery Wizard, NTFS Recovery Wizard, and a FAT Recovery Wizard.

DiskInternals Partition Recovery supports a multitude of file systems, including:

FAT12, FAT16, FAT32, and VFAT

NTFS, NTFS4, and NTFS5

ext2, ext3

The tool scans every disk sector for recoverable data. DiskInternals Partition Recovery repairs data from virtual disks, and it does not matter if these files or folders were deleted before recovery or not.

Tool: TestDisk
TestDisk is free data-recovery software. It was primarily designed to help recover lost partitions and/or make nonbooting disks bootable when these symptoms are caused by faulty software, certain types of viruses, or human error (such as accidentally deleting the partition table).

TestDisk supports the following operating systems:

DOS (either real or in a Windows 9x DOS-box)

Windows NT4, 2000, XP, 2003, Vista, 2008, Windows 7 (x86, x64)

Linux

FreeBSD, NetBSD, OpenBSD

SunOS

Mac OS X

TestDisk can find lost partitions for the following file systems:

BeFS (BeOS)

BSD disklabel (FreeBSD/OpenBSD/Net BSD)

CramFS, Compressed File System

DOS/Windows FAT12, FAT16, and FAT32

HFS and HFS+

JFS, IBM’s Journaled File System

Linux ext2 and ext3

Linux Raid

TestDisk queries the BIOS or the OS in order to find the hard disks and their characteristics (LBA size and CHS geometry). TestDisk does a quick check of the user’s disk’s structure, and compares it with the user’s partition table for entry errors. If the partition table has entry errors, TestDisk can repair them. If the user has missing partitions, or a completely empty partition table, TestDisk can search for partitions and create a new table, or even a new MBR, if necessary.

However, it is up to the user to look over the list of possible partitions found by TestDisk and to select the one(s) that were being used just before the drive failed to boot or the partition(s) were lost. In some cases, especially after initiating a detailed search for lost partitions, TestDisk may show partition data that is simply the remnants of a partition that had been deleted and overwritten long ago.

TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a nonbooting drive, which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing on-site recovery